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Jacob Appelbaum 30c3 Protect and Infect Slides 
http://cryptome.org/201 3/1 2/appelbaum-30c3.pdf 
Video of Presentation: 

https ://www.voutube.com/watch?v=b0w36GAyZIA 
30 December 2013 

Full 50 pages of the NSA ANT Catalog with crisp images in 1 1 separate files 
http://cryptome.org/201 3/1 2/nsa-cataloq.zip (16.2MB) 

Crisp QUANTUMTHEORY Images: 
http://crvptome.org/201 3/1 2/nsa-quantumtheory.pdf 
Crisp QUANTUM Tasking Images: 
http://crvptome.org/201 3/1 2/nsa-quantum-taskinq.pdf 



The 30C3, To Protect and Infect, The Militarization of the Internet 
Jacob Appelbaum @ioerror, 30 December 2013 
NSA catalog pages from video 
https ://www.voutube.com/watch?v=b0w36GAyZIA 



(TS//SI//REL) NIGHTSTAND - Close Access Operations • 
BaateMd Tested • Window s rMplndnOnn • Standalone System 



^ (U//FOUO) Standalone tool currenty 
running on an x86 laptop loaded with 
Linux Fedora Core 3. 

^ (TS//SI//REL) Exploitable Targets 
indude Win2k WmXP WnXPSPl. 
WINXPSP2 running ritemet Explorer 
versions 5 0-6.0 

> (TS//SI//REL) NS packet inyec&on can 
target one dient or mutiple targets on a 





NIGHTSTAND Hardware 



[TSJfSU/REL) Use of external amplifiers 
expenmencai and operaoonal scenarios 
NIGHTSTAND attacks from as far away 



and antennas n both 
have resulted m successful 
as eight miles under ideal 



emnronmentaJ conditions. 
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TCP flrafftc from a designated process id a se co ndary network via an^y»^ 
embedded 002 11 network device tf an trier n e t -c on nec t ed wireless 
Pome rs present SOMBERKNAVE can be used to allow OLYMPUS or 
VALOATOR to cal home* via 80211 from an a* -gapped target computer. I 
the 80211 nt efface is n use by the target SOMBER KNAVE vmM not attempt 
to transmt 



(TSJ/Si/fREL) Operaaonady. VALIDATOR irvLtaies a cal home. 
SOMBER KNAVE loggers from the named event and fries to assooaie **ti an 
accesspoA If cormecaon is successful. data ts sen over 802.11 to the ROC 
VALIDATOR receives nsmjcfrons downloads OLYMPUS, then dsassoaaies 
and gwes up c ontrol of tie 802.11 hardware OLYMPUS wd then be a£*e to 
comnuncaie wtfi the ROC via SOM6ERKNAVE. as long as there is an 
avarfabie access poet 




SOMBERKNAVE 






DNT mjlmiwi 



STUCCOMONTANA provides 
an upgrade or 



lor DNT 
of me 



The 




(TS//SI//REL) Currently. the intended DNT Impiar 
VALIDATOR, which must De run as a user process 
system. The vector of attack is the modification of tl 
modification wnM add the software to the its 

software to execute the ^JCCO^^fANA implant at the end of its native 






(TSMSU/REL) DROPOUT JEEP s a STRAfTBIZARRE based software mptat lor 
tfie Apple *>hone operjgm^aft^ ™* uses ftw OftMNEYPOOL framework 

EREEROW project. therefo r e t a supported 

n the TURBULENCE archftecture 
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DROPOUT 



(TS/7SWREL) DROPOUTJEEP is ft software enplane lor tf* Apple iPhone that 



retnevd contact kst recneval vocemad. gedocapon hoi me. c a mera capfcee. ceft 
l ower locftbon etc. Command c onarof. and data ertftraaon can occur over SMS 



for a GPRS 

covv ■: t ercr.ptec! 



(TS//S1//REL) IRATEMONK 
and laptop computers by 
through Master Boot Record 



on desktop 









(TS//SI//REL) 
from a varu 
supported fit 



systems 

tern Digital. Seagate. Maxtor, and Samsung hard di 
are: FAT. NTFS. EXT3 and UFS. 



(ts//si//rel) ThmgmmmBmxuiiw imaon, unitedrake. or 

STR Al TBAZZARE are used in conjunction with SLICKERV1CAR to upload the hard 
drive firmware onto the target machine to implant IRATEMONK and its payload (the 
implant installer). Once implanted. IRATEMONK's frequency of execution (dropping 
the payload) is configurable and wril occur when the target machine powers on. 



Status: Released / Deployed. Ready for Unit Cost: $0 

Immediate Delivery 




(TSJSUTPEL) ObN conceals &qtM components (TPiNTTYX USB 1.1 FS lull SNtches and 
HOWL£RMONK£Y (HM) PP Transcewer warm me USB SmA cable cc nngqpr 
MOCCASIN a me verm per man ently c o nnected to a USB keyboard Anomer verm can 
be made wth an inmodfied USB aama a M me amer end CJYM has the a tota y to 
oomrruiae id omer CM devces over me PP Ink usng an over-mesa* protocol cdM 




(TS7/SI//REL) COTTON MOUTH- 1 1 (CM-II) is a Hardwar 

Tap. which will provide a coven link over USB linlunto a targets networl^CM-ll is ini 
to be operate with a long haul relay subsystem, which is co- located within the 
equipment. Further integration is needed to turn this capability into a deployable sysi 




TS//SI//REL) CM-II will provide software persistence capability, “in-hekT re-programi 
ind coven communications with a host software implant over the USB. CM-l! m 
ximmunicate with Data Network Technologies (DNT) software (STRAITBIZARRE) th 
:overt channel implemented on the USB. using this communication channel I 
:ommands and data between hardware and software implants. CM- it will be a 
compliant implant based on CHIMNEYPOOL 

TS//SI//REL) CM-II consists of the CM-l digital hardware and the long haul relay co| 
somewhere within the target chassis A USB 2.0 HS hub with switches is concea 
Jual stacked USB connector, and the two Darts are hard-wired, orovidina a intra-chas 
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EWALK is a bi-directional lO/lOO/lOOObT (Gigabit) Etherr 
fithin a dual stacked RJ45 / USB connector. FIREWALK i: 
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(TS//SI//REL) This technique 
use the 




that 



:esso 



(TS//SI//REL) Through interdiction, the JTAG scan chain must be reconnected on 
the target system by removing the motherboard from the chassis and attaching the 
depopulated parts back onto the circuit board After this step is complete, the 
hardware implant itself must be attached to the motherboard The implants should 
already be programmed with the GOOSURGE application code and its payload, the 
implant installer Once implanted. GODSURGE's frequency of execution (dropping 
the payload) is configurable and will occur when the target machine powers on. 



Status: Released / Deployed. Ready for Unit Cost: $500 for Hardware 

Immediate Delivery and installation 



(TS//SI//REL TO USA.FVEY) The CTX4000 is a 

radar un*. II can be used to rflumrate a target s^f^^^W^PfflflSentoff net 
nformanon. Pnmaiy uses include VAGRANT and DROPMIRE collection 




(TS//S1//REL TO USA.FVEY) The CTX4000 provides the means to coiect signals 
that otherwise would not be collectable, or would be extremely difficult to collect 
and process. It provides the following features: 

• Frequency Range: 1 - 2 GHz. 

• Bandwidth: Up to 45 MHz 

• Output Power User adjustable up to 2 W using the interna! amplifier: external 
amplifiers make it posstole to go up to 1 kW 

• Phase adjustment with front panel knob 




(U) Capat»hbes 

(TSTSfa^EL TO USAJVEY) RAGE MAS TER provides a target for RE looting 
and allows tor ease? c ofae ca on of the VAGRANT video serial The current 
RAGEMASTER une taps the red veteo Ine on tie VGA cadle. It was found 
empncafy ttts provides fhe best video retro and deanest readout of fie 
moneor contents. 




(U) Concept of Operation 

(TS//SWREL TO USAJ^/EY) The RAGEMASTER taps the red video me 
b e tw ee n me video card wehn me desktop tme and the computer moneor. 
rypcally an LCD When me RAGEMASTER 

flurrtnaang sxjnai s modUaied warn me red vflWSorraB^WB^I^aon 
ft re>racfcated. where 1 is pcfced up at the radar. rtfmorfafMerl. and passed 
onto me proces 9 ng mt . such as a LES-2 and an external moneor. 
NIGHTWATCH GOTHAM, or (in the futire) NflEWPLATE. The processor 
recre ate s the honzoncal and vemcai sync of me targeted moneor. ttus atoang 
TAO per s onnef to see what ft (fasplayed on the t a rgeted moneor 



OREL TO USA.FVEY) Data RF reto-reiecror 
modulated wth target data (keyboard, low date rate 
ftumrvated with radar. 

[U) Capabilities 

[TSffSHREL TO USA^VEY) SURL YSPAWN 
ns the capabtey to gather beysaofces aatioul 
requiring any software rurmng on he targeted 
System, it also orty requ res tha t die targeted 
System be touche^^^MB^tofr' 

The simpbaty form 

factor to belabored tor speohc oparaaonal 
n rpianii it Fuaae capabtoes eel ndude 



return 





[U) Concept of 

[TS//SliREL TO USA.FVEY) The board taps nto the data tne from tie 
Keyboard to tie proc esso r. The board g enera t es a square wave osotaang at 
I p re se t frequency The deta-tne serial is used to sot tie sqart ewe 
frequency higher or lower, depending on the level of tie data-fcne sxjnal The 
square wave, n essence, becomes frequency shit keyed (FSK) \Mien tie 
jmt s ilumnated by a CW s*jnal from a nearby radar, the ilumnaang signal 
s aatptoude-modtiated (AM) wtei tvs square wave. The sgnal e re-racfcaied. 
vhere it is recewed by tie radar, demortitated. and the demodulated signal is 
processed to rectMr tie keystrokes. SURLYSPAWN 6 part of tie 
kNGR YNE IGHBOR famfy of radar retro-retectors 



(TS//Siy/REL TO USA.FVEY) Beacon RF retro-reflector Provides return 
when rihjminated with radar to provrte rough positional location 



(U) Capabilities 

(TS//S1//REL TO USA.FVEY) TAWDRYYARD is 
used as a beacon, typcaiy to assist n locatng 
and tdenbfyvig deployed RAGEMASTER units 
Current design allows it to be detected and located 
qurte easrfy within a 50* rad us of 




be tar 

Future capacities being considered are return of 
GPS coordinates and a unique target rtentiher and 
automatic processng to scan a target area tor 
presence of TAWDRYYARDs AJ components are 
COTS and — — to NSA 





(li) Concept of Operation 

(TS//SI//REL TO USA.FVEY) The board generates a square wave operating 
at a preset frequency The square wave is used to turn a FET (field effect 
transistor) on and off. When the unit s iHummated with a CW serial, the 
iumnatng signal is ampfctude-modutated (AM) with the square wave The 
■bMl « 1) ffieill Minim is niriMriiti brlhi iarif #iwn twntmmmm ii 



(S//SI) Hand held finishing tool used for geolocaling targeted handsets 
in the field. 



(S//SI) Features: 

• Split display/controller for 
flexible deployment 
capability 

• External antenna for DFing 
target: internal antenna for 
communication with active 
interrogator 

•Multiple technology 
capability based on SDR P®) waterwttch Handset df set 

development 

• Approximate size 3' x 7.5' x 1.25' (radio). 2.5' x 5' x 0.75" 
(display): radio shrink in planning stages 

• Display uses E-Ink technology for low light emissions 





